
  • Gap Analysis Question

    First, it is important to note that ISO 27001 does not require a gap analysis to be performed.

    Considering that, you should define a scope for your gap analysis so you can understand which kind of questions you need to consider.

    For example, if your gap analysis scope is Research and Development, it does not make sense to include questions related to HR or sales processes.

    Additionally, we do not recommend using it for companies smaller than 500 employees because it would make your implementation unnecessarily complex.

    You can access the ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    For further information, see:
    - ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/

  • ISO 9001 Quality Inspection Records

    Do these inspection records need to be considered as controlled documents?
    Yes, those spreadsheets are documents in a digital format relevant to your management system. Once filled, they become relevant records.
    Do they need to be given a document number, revision level, and approval?
    They should have an identification (it can be a name or number); they should have a way of distinguishing different versions (it can be a revision level in the name of the file or any other way); and there should be a way of evidencing approval, for example an e-mail stating that from the authorized function.
    Do they need to be kept on the document control master list?
    Yes, they should be there although they are in a digital format.

  • Can a certified company transfer its ISO certificate to another company?

    First, the short answer: that is not possible.

    Second, exceptions – but only applicable to the same site.

    • When a company changes name.
    • When a company is bought by another company, and the certification body is informed and agrees to keep the certificate
  • Audit

    I’m assuming that by external audit you refer to the certification audit.

    Considering that, it is important to note that an internal audit is a mandatory requirement for ISO 27001 certification, so it needs to be performed before the certification audit.

    To perform an internal audit you should consider these steps:

    • Develop an internal audit procedure
    • Plan your audits, considering dates, criteria, and scope
    • Develop checklists to help you not forget something during the audit
    • Elaborate on the audit report which will include the non-compliances and other findings

    These articles will provide you with a further explanation of internal audit:

    These materials will also help you regarding internal audit:

    To see what internal audit documents compliant with ISO 27001 look like, please take a look at this toolkit:

  • Aruba Products

    Thank you!

  • ISO 27001 query

    1. Can I seek your advice on how much the RTO is usually set to for a company offering SaaS-based solutions? Does ISO 22301 define any times? I understand that it depends on various org-specific factors, but I want to get an idea of industry best practices.

    ISO 22301 does not prescribe RTO values. Instead, it provides a framework for organizations to understand their business continuity needs and define the proper RTO values according to the criticality of their services and risk tolerance. Normally RTOs are measured in terms of hours, minutes, or seconds, with lower numbers representing less downtime but greater costs in investments.

    You should avoid taking as reference values from other organizations because RTOs need to be based on the specificities of your own business.

    For further information, see:

    2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:

    Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?

    Please note that security controls to be implemented need to be based on the results of risk assessment and applicable legal requirements.

    In case you do not have any relevant risk, or laws, regulations, or contracts demanding an anti-malware / anti-virus solution, you do not need to implement it. However, in most cases, we see companies implementing anti-malware on all laptops.

    For further information, see:

    3. What are the minimum device management controls that the org should have control over?

    I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advice on what controls are considered the bare minimum, and as per industry best practices, to help us pass the certification.

    The same answer from the previous question applies here. You need to perform a risk assessment and evaluate applicable legal requirements to identify relevant controls to be implemented for device management.

    Please note that simply applying best practices will not help you with the certification process, because the certification auditor will look at whether you have implemented controls based on a properly performed risk assessment and evaluation of legal requirements. Further, there are no "industry best practices" that would be universally accepted.

    This material may help you:

    • Checklist of Cyber Threats & Safeguards When Working From Home https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
  • Documentation requirements for the HR department according to ISO 9001

    Regarding the Human Resources department, one can think about:

    • Clear responsibilities and authorities for each job function (clause 5.3)
    • Clear competence requirements regarding each job function (clause 7.1.6)
    • Competence gaps determination and actions to close those gaps (clause 7.2)
    • Monitoring human resources department performance (clauses 9.1.1 and 9.1.3)

    Based on this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ mandatory documentation requirements are:

    • Records of training, skills, experience, and qualifications (clause 7.2)
    • Monitoring and measurement results (clause 9.1.1)

    Regarding the Controlling department one can think about:

    • Preparing information for the top management (clause 9.3)
    • Supplying information for decision-making processes (clauses 9.1.1 and 9.1.3)
    • Maintaining IT systems (?) (clause 7.1.3)
    • Relevant communication (clause 7.4)

    Based on the same article mandatory documentation requirements are:

    • Results of the management review (clause 9.3)
    • Monitoring and measurement results (clause 9.1.1)

  • Secure coding

    I’m assuming this text is from the Secure development policy.

    Considering that, please note that the comments included in this section provide some examples of practices and principles for secure coding.

    Regarding a second layer of the document (i.e., specific procedures), please note that since each organization has its own specific set of procedures and principles for coding development and maintenance (based on the programming language used, development framework, etc.), it is unfeasible to provide a set of templates that covers all existing possibilities.

    What you can do is refer to your already written procedures and principles in this Policy. In case you still need to develop such documents, then you can use the blank template that is included in your toolkit to develop them.

    In case you need additional support, you can schedule an online meeting where one of our experts will help you develop these documents. To schedule a meeting, please click here: https://advisera.com/consultations/
